Massive Java Update Includes Security Fixes

Sun has released another update to its Java software that brings some 370 bug fixes, including a number of security updates.

For most home users, this update brings the latest version of the software to Java 6 Update 4. Most Windows users will have some version of Java on their systems, and since there is no shortage of malware samples that exploit older Java security holes to break into systems, it's a good idea to patch this software even if you never remember using it.

The update is available for Windows, Linux and Solaris systems, from this link here.

To see if you have Java installed, check the Add/Remove Programs listing in the Windows control panel. Sun calls it Java SE Runtime Environment 6, but it's displayed in the Windows Add/Remove Programs list as Java(TM) 6. You could also just visit Sun's Java homepage and click on the "Do I have Java" link at the top, then the "Verify Installation" button. When I did that on a machine with Java 6 Update 3 installed, the page came back with a message congratulating me for having the latest version installed.

If you're a home user and have any versions older than this latest update installed (most Windows users will probably have multiple Java versions installed, as the installer doesn't remove previous versions), remove them after installing this update.

As a reminder, new versions of Java do not uninstall old ones automatically. This preserves some backwards compatibility issues with the software and older Java applications that were version specific.

However, malware can make calls to older versions that still reside on your system, and many trojans are spread this way. Unless you know that you need an older version, you should uninstall all older versions from the system.

A SSMD: Flash also has a habit of sticking around. Do a scan at Secunia (BK has linked to the site before) to see if you have old versions. Unfortunately you cannot use add/remove programs to get rid of old Flash versions. There's a specific removal tool available at www.macromedia.com/go/14157

Gee, that was interesting. I selected on-line install, but it downloaded the installer to the Firefox program folder. After I got that straightened out and went to Add & Remove and started to get rid of .3, Spybot S&D asked if I wanted to remove .4! I took a chance and Allowed. Then went to the Java site and it says .4 is working. Phew!

One other thing about Flash... In my experience, you have to update Flash separately for Firefox and IE. For the last several updates, whenever I've gone to Adobe's site, the browser I was using (Firefox) was the only one updated, and tools like Secunia's PSI reminded me to update the relatively unused copy installed for IE...

"Prior to 5.0 Update 6, an applet could specify the version of the JRE on which it would run. With 5.0 Update 6 and later installed on the Windows platform, all applets are executed with the latest version of the JRE."

So, as long as you are using at least build 1.5.6, Java applets cannot call older, vulnerable versions of Sun Java.

That being said, each version of Sun Java takes up over 100 megabytes of space on the hard drive - just that fact is sufficient reason to remove old builds.

"Prior to 5.0 Update 6, an application could specify the version of the JRE on which it would run. With 5.0 Update 6 and later installed, unsigned Java Web Start applications that specify a version other than the latest installed will trigger a warning, requiring explicit user permission before the application will run. Signed Java Web Start applications are not affected."

Angus Scott-Fleming, FCS is the live version, not a beta. It is Sun's way of saying that it is the first version worthy of public consumption, First Customer Ship. Sun has a beta, early access and alpha classification, and you will see them marked appropriately.

When I first read BlechSpeak's comment, and responded, my thinking was that advice is incorrect. Now, I see that it is correct, but only with the proviso that the user must specifically approve the applet to run and ignore the prompt to update. The most problematic versions of Java in each family are certainly below the security baseline, so there are layers of protection there.

I've tried repeatedly to update to 6u4 on multiple systems which have 6u3 installed and they have invariably told me that I don't need an update. The only way to get 6u4 right now is to download it manually and install it. When is it going to be released as a formal update? That IMHO is when it's no longer a (late-stage) beta ;-)

Java SE 6u4 is a formal update, I assure you. Update releases always go on java.sun.com, but they may or may not go on java.com and auto-update. It is not because the software is unfinished in any way. It is a careful decision made by people wiser than myself, which takes in a large number of factors.

Wow - it's not often that you get a chance to communicate directly to a developer working for a major vendor.

So here's my feedback about java updates which I have to try and manage in an enterprise environment...some of which have been raised already.

1. Java versions are confusing. Is it v6 or 1.6.0? What's 1.6.0_03-b05? Why is this so complicated? I do not see this with any other vendor.

2. Old versions of Java are left behind when new versions are installed.

3. Why is it that, sometimes several weeks after a new release, the java.com website reports that you have the current & latest version when this is clearly not the case. This is not only misleading, it could be highly dangerous as users could be misled into thinking that they are totally up to date when in fact their machines could easily be exploited by fast-moving malware writers.

To clarify things, I am not a developer of Java SE, but a releaser. I set up new Java software to be downloaded.

To answer your questions:

1. I understand the confusion. The official version is "6u4" or "6 Update 4". The 1.6.0_04 is a left-over naming convention from when we had 1.4.2. We use "6u4" whenever possible, but some of the download mechanisms require the 1.X.X_XX format for consistency. If you look back, it went from 1.4.2 -> 5.0 -> 6. So the difference is a matter of the download software not able to fully keep up with the evolution of the branding.

2. I personally don't know. I used to handle some customer e-mails and the standard response was that you can remove older versions.

3. In one of my previous posts here, I explained how sometimes the latest release does not always go to java.com and auto-update, but it always goes to java.sun.com. So you will sometimes have a later version on java.sun.com, which is the "latest version". As I said, there are good and specific reasons for these decisions. Something to keep in mind is that java.sun.com caters to Java developers, whereas java.com and auto-update are for users. So it may be decided that some updates are appropriate for programmers to play with, but not for 100 million+ Java users to have right away. If a person is really that concerned about having the latest version, he or she will know to go to java.sun.com. In the end, it all works out, since it is rare for java.com / auto-update to miss out on two updates in a row. Following past history, it is likely that 6u5 will go on java.com and auto-update, which also includes all the changes in 6u4, and much more.

I work with the people that make these decisions and I can assure you that the security of Java on users' machines is a top priority.
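The naming question just answered (1.6.0_04 versus 6u4) and the advice earlier in the post to remove versions older than this update, worked through in one added Python example that is not code from the post or from Sun: it normalizes constructed Add/Remove Programs display names to a (family, update) pair and flags entries below 6u4, with a keep list for a family that some application still depends on.

```python
import re
from typing import NamedTuple, Optional

class JavaVersion(NamedTuple):
    family: int   # marketing family: 4 for 1.4.2, 5 for 1.5.0/5.0, 6 for 1.6.0/6
    update: int   # update number (0 when none is given)

    def marketing(self) -> str:
        return f"{self.family}u{self.update}"   # e.g. 1.6.0_04 -> "6u4"

# Legacy form used by "java -version" and some installers: 1.6.0_04-b05, 1.4.2_03.
_LEGACY = re.compile(r"(?<![\d.])1\.(\d)\.\d(?:_(\d+))?(?:-b\d+)?(?!\d)")
# Marketing form used in Add/Remove Programs: "6u4", "6 Update 4", "5.0 Update 6".
_MARKETING = re.compile(r"(?<!\S)([4-9])(?:\.0)?(?:\s*u|\s+update\s+)(\d+)(?!\d)", re.I)

def parse_java_version(text: str) -> Optional[JavaVersion]:
    """Normalize either naming convention to (family, update); None if unrecognized."""
    m = _LEGACY.search(text)
    if m:
        return JavaVersion(int(m.group(1)), int(m.group(2) or 0))
    m = _MARKETING.search(text)
    if m:
        return JavaVersion(int(m.group(1)), int(m.group(2)))
    return None

def triage(display_names, baseline, keep_families=frozenset()):
    """Split Add/Remove entries into (remove, keep, unknown); entries older than
    `baseline` go to remove unless their family is listed in `keep_families`."""
    remove, keep, unknown = [], [], []
    for name in display_names:
        v = parse_java_version(name)
        if v is None:
            unknown.append(name)
        elif v < baseline and v.family not in keep_families:  # tuple order: family, then update
            remove.append((name, v.marketing()))
        else:
            keep.append((name, v.marketing()))
    return remove, keep, unknown

SAMPLE_ENTRIES = [   # constructed Add/Remove display names, not from a real machine
    "Java(TM) 6 Update 4", "Java(TM) 6 Update 3",
    "Java(TM) SE Runtime Environment 6 Update 1", "J2SE Runtime Environment 5.0 Update 6",
    "Java 2 Runtime Environment, SE v1.4.2_03", "Adobe Flash Player ActiveX",
]
LATEST = JavaVersion(6, 4)   # 6u4, the update this post is about

if __name__ == "__main__":
    remove, keep, unknown = triage(SAMPLE_ENTRIES, LATEST, keep_families={4})
    print("remove:", [v for _, v in remove], "keep:", [v for _, v in keep], "unknown:", unknown)
```

Passing `keep_families={4}` models the later caveat in this thread that some programs break without 1.4.2; omit it to flag every pre-6u4 entry.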

Mark, I agree with Nick; it really is a great pleasure to see you appear on this forum! I appreciate your frank admission of lack of knowledge as to why new JRE updates don't auto-remove older ones, but you will understand that this reply still leaves Sun users like myself wondering. Could you please convey a request to those who do make decisions about this sort of thing to make an explanation of this policy, which I know strikes many users as odd, available on the Sun website? It would be much appreciated....

I actually think I will need to bow out here, and leave further questions unanswered. This will be my last post.

I originally posted to clarify a misconception, but it has expanded into a back-and-forth discussion. It really is not appropriate for me to carry on like this, and in this venue. Sorry to leave you hanging. :/ I did let the right people know about the concern about previous installations. Maybe that will add momentum to the issue.

While I understand it is not always possible, the BEST solution is to forgo Java altogether.

As policy, Java is NOT installed on any work systems UNLESS there is a specific need that can be justified! Such a policy should be highly considered for home users as well. Be sure to evaluate other software too (e.g. QuickTime, RealPlayer, Adobe Reader, etc.).

Overall, this will lower a system's attack surface and reduce the need to patch many pieces of software.

@ Mark and his employer: I hope that Mark isn't in trouble for communicating directly with the user community. Tech implementors can be good communicators, too! :-)

@ Brian Krebs: While Sun considers this new version of Java Standard Edition to be a public release, none of Sun's typical client-side updater or version checking mechanisms are pointing people towards this update. I have confirmed this on multiple Win XP Pro machines with a couple different and older versions of this software. Please consider clarifying this point in your blog posting above -- that is not clear.

As always, thank you for helping to keep the IT community informed of security related news and changes.

I've uninstalled Java, Quicktime, and Realplayer from all of my systems.

These three seem to reveal security holes each month. And I rarely use them. Java is only needed for custom applications. Quicktime is used mainly for movie trailers. Any site which has Realplayer-formatted content typically offers it in other formats as well.

Flash is an annoying necessity but I only install it in Firefox; the Flashblock extension keeps Flash at bay until I see fit. Never install it in I.E.

Brian,
Your link to download Java 6U4 shows two ways to install, (for a 32bit machine) one is an on-line install with a file size of less than 1MB and the other is an offline install with a file size of more than 15MB. I don't know why there is such a big difference in file sizes and I don't know which one to install. Need your advice. Thanks

@Krisha -- It doesn't much matter whether you do an offline or online install. The offline one will probably be faster, though. The difference in file size is that one is a compressed version of the program, whereas the 1MB installer downloads most of the components to be installed from Sun's site.

The online installer is initially only around 400KB. It will download only the files that it thinks you need, based on the env. It usually only downloads about 9MB total, which is much less than the 15MB offline installer.

@macuser-- Apple licenses the Java client but Apple itself is responsible for incorporating fixes into its version of Java. Apple does not have a stellar track record of timeliness in shipping Java patches, and has been known to wait more than a year after Sun has fixed the bugs to ship an update that fixes the same flaws in the version for OS X.

Keep in mind that those are just the fixes. There are plenty of bugs left outstanding! You can go look them up at bugs.sun.com. (It appears that people "vote" on them to bump up their priority.) And of course there are also probably bugs that no one has discovered or reported yet.

All of which is Very Good News. By publishing its bug list, Sun encourages everyone to contribute their own observations and even suggest how to fix the problems. It also gives anyone who wants it a healthy glimpse of the complexity of the product - kind of like a tour of the sausage factory. In the end, it surely produces a better product, and better-informed consumers, than if the bug list were hidden.

Warning about uninstalling old versions of Java... While I've not yet encountered an issue removing out of date versions of 5 or 6, there ARE a number of programs out there that WILL break unless 1.4.2 is available!

To quote another entry here "Or do we have to uninstall 6.3 before installing 6.4, as was the case when upgrading to previously new Java versions?"

In my experience that has never been necessary in the Java 5 and 6 series... Older versions remove cleanly before or after the new version is in place.

As Brian indicated there can be problems with uninstalling older versions of the JRE as some applications that include the JRE have a static pointer (path) to the JRE (the path has the version number in it so changing it changes the path) and uninstalling it will render the application useless.

There are also issues where an app will install the Java JRE in a subfolder of the application rather than in the standard folder where it would normally install.

@BigVal -- Java is one of those programs that will sit on your system until you visit a Web site that serves up some content that requires Java to run. Usually, when that happens (at least on Windows XP) you'll see the little Java icon suddenly pop onto your system tray, along with a little text balloon that says Java TM, and something else.

So you see, it is enough just to have Java on your machine for it to be vulnerable. Do as I suggested and check to see if you have Java installed. If you do, apply this update (or get rid of Java).